Implementation of the client side of the IETF draft "Signing HTTP Messages"

http-signature-client

A utility function providing an HTTP-client-agnostic Python implementation of the client side of the IETF draft "Signing HTTP Messages". It has no dependencies other than the standard library, but client code would typically need cryptography to load a private key.

Usage

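from http_signature_client import sign_headers

# sign is a callable that takes the bytes to sign and returns the signature
# (the recipe below passes private_key.sign); headers_to_sign is a tuple of
# (name, value) pairs.
signed_headers = sign_headers(key_id, sign, method, path, headers_to_sign)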

Recipe: Python requests

from base64 import b64encode
import hashlib

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import load_pem_private_key
import requests
import urllib3

from http_signature_client import sign_headers

class HttpSignatureWithBodyDigest(requests.auth.AuthBase):
    def __init__(self, key_id, pem_private_key):
        self.key_id = key_id
        self.private_key = load_pem_private_key(
            pem_private_key, password=None, backend=default_backend())

    def __call__(self, r):
        # Bind the body to the signature by signing a digest header over it
        # (r.body must be bytes here)
        body_sha512 = b64encode(hashlib.sha512(r.body).digest()).decode('ascii')
        headers_to_sign = tuple(r.headers.items()) + (('digest', f'SHA512={body_sha512}'),)
        # Sign the path together with the query string, as sent on the request line
        parsed_url = urllib3.util.url.parse_url(r.path_url)
        path = parsed_url.path + (f'?{parsed_url.query}' if parsed_url.query else '')
        r.headers = dict(sign_headers(
            self.key_id, self.private_key.sign, r.method, path, headers_to_sign))
        return r

response = requests.post('http://mydomain.test/path', data=b'The bytes',
                         auth=HttpSignatureWithBodyDigest(key_id, pem_private_key))

What's implemented

A deliberate subset of the signature algorithm is implemented:

  • the request-target pseudo-header is signed [to allow the server to verify the method and path];
  • the created pseudo-header is signed [to allow the server to decide to reject if the skew is too large];
  • the headers parameter is sent [to allow the server to verify headers and pseudo-headers];
  • the expires parameter is not sent [the server can decide this using the created parameter];
  • the algorithm parameter is not sent [it should not be used by the server to choose the algorithm].
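
The server-side checks that this subset enables, as an added example that is not part of this project's code. It assumes the draft's `keyId`/`created`/`headers`/`signature` parameter syntax; the function names, `MAX_SKEW` and the key table are hypothetical, and HMAC-SHA256 stands in for public-key verification so the block runs on the standard library alone.

```python
import base64, hashlib, hmac, re

MAX_SKEW = 300  # seconds; assumed server policy, not taken from the page
KEYS = {'demo-key': b'constructed-secret'}  # constructed; HMAC stands in for a public key

def signing_string(method, path, created, headers, names):
    """Rebuild the signed text in the order given by the headers parameter."""
    pseudo = {'(request-target)': f'{method.lower()} {path}', '(created)': str(created)}
    return '\n'.join(f'{n}: {pseudo[n] if n in pseudo else headers[n]}' for n in names).encode()

def hmac_verify(key_id, signature, message):
    # The server picks the algorithm from the key it holds, never from the request.
    expected = hmac.new(KEYS[key_id], message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def verify_request(sig_params, method, path, headers, now, verify=hmac_verify):
    # Any algorithm parameter is parsed like the others and then ignored.
    p = {k: q or n for k, q, n in re.findall(r'(\w+)=(?:"([^"]*)"|(\d+))', sig_params)}
    try:
        names, created = p['headers'].split(' '), int(p['created'])
        signature = base64.b64decode(p['signature'], validate=True)
    except (KeyError, ValueError):
        return 'malformed'
    # Without these two pseudo-headers the method, path and age are unauthenticated.
    if not {'(request-target)', '(created)'} <= set(names):
        return 'method, path or creation time not covered'
    if abs(now - created) > MAX_SKEW:
        return 'clock skew too large'
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        # Method and path come from the request as received, not from the client's claim.
        message = signing_string(method, path, created, lowered, names)
        ok = verify(p['keyId'], signature, message)
    except KeyError:
        return 'unknown key or missing header'
    return 'ok' if ok else 'bad signature'

def sample_signature(method, path, created, headers, names, key_id='demo-key'):
    """Constructed client side, used only to produce input for the verifier."""
    message = signing_string(method, path, created, headers, names)
    sig = base64.b64encode(hmac.new(KEYS[key_id], message, hashlib.sha256).digest()).decode()
    return f'keyId="{key_id}",created={created},headers="{" ".join(names)}",signature="{sig}"'
```

In a real deployment `verify` would look up the public key for `keyId` and check the signature with the one algorithm registered for that key.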
